How to make Mac OS X a well-behaved UNIX system

The scope of this how-to is installing Mac OS X in a more secure manner and
turning it into the regular UNIX system geeks are used to. It covers system
disk encryption and the installation of a ports system.
This guide is written for Mac OS X 10.7 Lion -- but remember: since Rosetta
is gone, Lion won't run any older PowerPC application (not even FCP 6).
1] clean install
==============
First we do a clean installation of Mac OS X. This is not quite usual, because
Mac OS X doesn't need the constant reinstallation familiar from Windows.
But since we don't know all the software on the computer we acquired (it may
even be a second-hand Mac), let's format the system drive and do a clean
installation of Mac OS X, focused on sanity.
1a] get installation media (ISO or DVD)
// for Mac OS X 10.7 Lion it is around 4.5 GB
1b] prepare flash disk with install media
// you can burn the iso image to a DVD as well
// if the iso image is bigger than 4.5 GB, use a dual-layer DVD
In Disk Utility (Applications/Utilities) first erase the flash drive
(filesystem Mac OS Extended).
Then click "Restore" and drag-and-drop the .iso file with the installation
media into "Source".
Drag-and-drop the flash drive into "Destination".
Click "Restore".
// optionally, if you know how, you can do it with the "dd" command-line tool
//
// if there are problems with Disk Utility, you'll have to resort to dd
// anyway:
//
// dd bs=1m if=source_media.iso of=/dev/rdiskN
//
// (BSD dd on Mac OS X wants a lowercase "m" in bs=1m; writing to the raw
// device /dev/rdiskN instead of /dev/diskN is several times faster)
//
// dd is refused with "Resource busy" while any volume on the stick is
// mounted, and once the stick is ejected from the GUI its device node is
// gone. So don't eject -- unmount the volumes and keep the device:
//
// diskutil unmountDisk /dev/diskN
//
// check with "diskutil list" which diskN is the stick before writing;
// the wrong N overwrites your system disk
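Putting the dd recipe above together, here is an added example script (not part of this how-to) that refuses anything but a whole-disk node, unmounts it, writes the image to the raw device and verifies the result by hashing the bytes read back from the stick. It must run on the Mac itself; the image file name and the disk number N are assumptions you supply on the command line.

```shell
#!/bin/sh
# Added example: write an installer image to a USB stick with dd on Mac OS X
# and verify it. Usage on the Mac: sh write-installer.sh source_media.iso /dev/diskN
# The image name and the disk number N are assumptions you must supply.
set -eu

# Accept only a whole-disk node such as /dev/disk2, never a slice (disk2s1)
# or an arbitrary path, so a typo cannot turn into a write to a file or to
# one partition of the wrong disk.
valid_disk_node() {
  case "$1" in
    /dev/disk[0-9]|/dev/disk[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# /dev/diskN -> /dev/rdiskN. The raw (character) device bypasses the buffer
# cache and is several times faster for a sequential dd.
raw_node() {
  printf '/dev/r%s\n' "${1#/dev/}"
}

write_image() {
  image=$1
  disk=$2
  valid_disk_node "$disk" || { echo "not a whole-disk node: $disk" >&2; return 1; }
  [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }

  # Show what is about to be overwritten and make the operator confirm it.
  diskutil info "$disk" | grep -E 'Device Node|Media Name|Total Size|Protocol'
  printf 'Overwrite %s with %s? [yes/NO] ' "$disk" "$image"
  read -r answer
  [ "$answer" = yes ] || { echo "aborted" >&2; return 1; }

  # Unmount (not eject) so dd is not refused with "Resource busy".
  diskutil unmountDisk "$disk"
  sudo dd bs=1m if="$image" of="$(raw_node "$disk")"
  sync

  # Verify: hash the image and the same number of bytes read back from the
  # stick. stat -f %z is the BSD (Mac OS X) spelling of "size in bytes".
  size=$(stat -f %z "$image")
  want=$(shasum -a 256 "$image" | cut -d' ' -f1)
  got=$(sudo head -c "$size" "$(raw_node "$disk")" | shasum -a 256 | cut -d' ' -f1)
  if [ "$want" = "$got" ]; then
    echo "OK: $disk matches $image ($size bytes)"
  else
    echo "MISMATCH: written media differs from the image" >&2
    return 1
  fi
}

if [ $# -eq 2 ]; then
  write_image "$1" "$2"
fi
```

The confirmation step prints diskutil's view of the target (node, media name, size, bus) before anything is written; a stick will show Protocol USB and a size that matches the hardware, an internal drive won't.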
1c] Boot from the flash disk or DVD.
Insert the media and hold the ALT (Option) key during early startup.
A menu appears -- choose the installation media and wait until it boots.
1d] Disconnect from the Internet.
Unplug the network cable (if any). Since we don't yet have the computer's
network interfaces under control, we won't let apple.com touch the machine
during installation.
// Optionally you can block the Internet connection on the upstream firewall.
// Unplugging the cable and checking that no Wi-Fi network is joined is the
// safe option.
1e] Let's format the system disk.
(Mac OS X calls it "Erase".) The installer has a menu bar at the top of the
screen, like the rest of Mac OS X.
Choose Utilities > Disk Utility.
Erase the system disk with the Erase function of Disk Utility. Choose the
filesystem "Mac OS Extended" (case-sensitive, journaled, encrypted).
// The journal helps you in case of sudden loss of power.
// Case sensitivity is the normal behaviour of a modern UNIX filesystem, so
// let's use it. Caveat: a few commercial Mac applications (notably some
// Adobe installers) refuse to install on a case-sensitive volume; check
// yours before deciding.
// If you select 'encrypted', the system drive is encrypted from the start
// and the password is asked at boot -- this avoids the annoying problems of
// enabling FileVault 2 afterwards (especially when you have no Recovery HD).
Under "Security Options" you choose how thoroughly the drive is wiped.
Previous data stays on the disk after a plain format unless it is
overwritten.
Choose the level of paranoia: the more passes, the longer it takes.
// A single pass (zero out data) takes around 2 hours on a 1 TB drive.
// On an SSD, overwrite passes don't reliably reach every flash cell; with an
// encrypted volume, destroying the key is what makes old data unreadable.
1f] Then install the system. As easy as intended in Redmond and Cupertino.
2] privilege separation
=====================
During installation, you will be asked for the first user's name.
It's important to separate the "normal user account" for daily work from the
"administrator account". Only the latter has permission to change the
system, and whenever you touch system settings or files you'll be asked for
the admin's password. So first create the 'master' (or whatever name)
account; the standard user account for daily work can be created later
(System Preferences > Users & Groups, account type "Standard").
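As an added example (not from this how-to): a script that creates the standard user with dscl, the directory tool available on 10.7 (sysadminctl came in later releases), and then checks that the new account did not end up in the admin group. The user name "kangaroo" and UID 502 are assumptions; the only part that runs offline is the parser for the GroupMembership line dscl prints.

```shell
#!/bin/sh
# Added example: create a standard (non-admin) user from the command line on
# Mac OS X 10.7 and verify who is an administrator. Run as the admin account:
#   sh make-user.sh kangaroo 502
# "kangaroo" and 502 are assumptions; pick a free UID (dscl . -list /Users UniqueID).
set -eu

# Parse a "GroupMembership: root master ..." line, as printed by
#   dscl . -read /Groups/admin GroupMembership
# and report whether user $1 is listed in it.
is_listed() {
  user=$1
  line=$2
  for member in $(printf '%s\n' "$line" | sed 's/^GroupMembership: *//'); do
    [ "$member" = "$user" ] && return 0
  done
  return 1
}

# Live check on the Mac: is this user in the admin group?
is_admin() {
  is_listed "$1" "$(dscl . -read /Groups/admin GroupMembership)"
}

# Create a standard user with dscl. Primary group 20 is "staff"; the user is
# deliberately NOT added to /Groups/admin, so sudo and System Preferences
# will ask for the master password when used from this account.
create_standard_user() {
  name=$1
  uid=$2
  sudo dscl . -create "/Users/$name"
  sudo dscl . -create "/Users/$name" UserShell /bin/bash
  sudo dscl . -create "/Users/$name" RealName "$name"
  sudo dscl . -create "/Users/$name" UniqueID "$uid"
  sudo dscl . -create "/Users/$name" PrimaryGroupID 20
  sudo dscl . -create "/Users/$name" NFSHomeDirectory "/Users/$name"
  sudo dscl . -passwd "/Users/$name"          # prompts for the new password
  sudo createhomedir -c -u "$name" >/dev/null
}

if [ $# -eq 2 ]; then
  create_standard_user "$1" "$2"
  if is_admin "$1"; then
    echo "WARNING: $1 ended up in the admin group" >&2
    exit 1
  fi
  echo "administrators: $(dscl . -read /Groups/admin GroupMembership)"
fi
```

Run `dscl . -read /Groups/admin GroupMembership` from time to time anyway: it is the quickest way to see whether some installer quietly promoted an account.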
3] application firewall
====================
After the fresh installation, install firewall software. You can use the UNIX
firewall built into Mac OS X (pf since 10.7, ipfw before that), or the
application firewall GUI Little Snitch (or its clone, "Hands Off!"). An
application firewall stops the system from talking over the Internet behind
your back, based on rules set per application or daemon; the packet filter
can only match addresses, ports and users, not the program that opened the
socket.
In the Little Snitch configuration I disable the default rules for:
Any connection to icloud.com
App Store
AppleIDAuthAgent
applepushserviced
quicklookconfig
storeagent
XProtectUpdate
I won't use any of those services, especially not the App Store and iCloud,
since I'm afraid of data leaks.
// Caveat: XProtectUpdate fetches Apple's malware signature list used by the
// quarantine check of downloaded files. Blocking it leaves those signatures
// stale, so decide whether that trade-off is acceptable for you.
Over time, other attempts of system services to connect somewhere will
occur. Just judge carefully which ones you want to allow.
// Recent versions of Little Snitch exempt themselves from the rules they
// enforce on every other application. Someone who used a cracked copy was
// surprised to see LS connect to the developer's site and check the serial
// number, even when forbidden by its own rules. According to reverse
// engineers, code obfuscation was employed. The LS clone "Hands Off!"
// doesn't seem to exhibit this behaviour.
// https://sentinelone.com/blogs/shut-snitch-reverse-engineering-exploiting-critical-little-snitch-vulnerability-reverse-engineering-mac-os-x/
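The "UNIX firewall built into Mac OS X" mentioned above is pf on Lion. As an added example that is not part of this how-to, here is a default-deny egress policy generated and loaded by a small script: it allows DNS, NTP and the web ports for everyone, an optional table of update hosts, and unrestricted outbound traffic only for the admin user; everything else (including ICMP) is blocked and logged. pf cannot tell which application opened a socket, so this is coarser than Little Snitch. The admin user name "master" and the update hosts are assumptions.

```shell
#!/bin/sh
# Added example: a default-deny outbound ruleset for pf (Mac OS X 10.7+).
# Usage on the Mac:  sh egress.sh master swscan.apple.com
# "master" (the admin account) and the allowed hosts are assumptions.
set -eu

# Print the ruleset. $1 is the admin user, the remaining arguments are hosts
# or networks that go into the <updates> table. pf is last-match-wins, so the
# "block" comes first and the exceptions use "quick" to stop evaluation.
egress_rules() {
  admin=$1
  shift
  echo '# generated egress policy -- load with: sudo pfctl -f /etc/pf.egress.conf'
  echo 'set skip on lo0'
  if [ $# -gt 0 ]; then
    echo "table <updates> const { $* }"
  fi
  echo 'block return out log all'
  echo 'pass out quick proto { tcp udp } to any port 53'
  echo 'pass out quick proto udp to any port 123'
  echo 'pass out quick proto tcp to any port { 80 443 }'
  if [ $# -gt 0 ]; then
    echo 'pass out quick to <updates>'
  fi
  # user matching only applies to tcp/udp sockets, hence the proto list
  echo "pass out quick proto { tcp udp } user $admin"
}

# Write the rules next to the stock /etc/pf.conf, parse-check them, load them
# as the active ruleset and make sure pf is enabled.
egress_load() {
  file=/etc/pf.egress.conf
  egress_rules "$@" | sudo tee "$file" >/dev/null
  sudo pfctl -nf "$file"        # syntax check only; a typo fails here
  sudo pfctl -f "$file"         # replace the active ruleset
  sudo pfctl -e || true         # enable pf (non-zero if already enabled)
  sudo pfctl -sr                # show what is loaded now
}

if [ $# -ge 1 ]; then
  egress_load "$@"
fi
```

Loading this file replaces the stock ruleset, including Apple's com.apple anchors; `sudo pfctl -f /etc/pf.conf` puts those back, and nothing here survives a reboot unless you load it from a launchd job. Blocked attempts show up with `sudo tcpdump -n -e -ttt -i pflog0`.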
4] software update
================
Apple menu (top left corner) > Software Update ...
If you wish. This makes a traceable request to Apple's servers.
On the other hand, it is the only official way to patch known system bugs,
so weigh the disclosure of your IP address against running unpatched code.
// Lion is the last version of Mac OS X which doesn't use the App Store to
// update software.
// To install updates on the command line (softwareupdate), see:
// http://osxdaily.com/2011/01/13/install-mac-os-x-software-updates-terminal/
5] xcode
======
Mac OS X is equipped with the standard UNIX tools (it is a UNIX, with a
userland largely derived from FreeBSD), but lacks compilers and header files.
You get those under the name Xcode, and especially the "Xcode Command Line
Tools", from developer.apple.com.
// http://www.linuxforu.com/2013/04/os-x-command-line-tools/
Since the download requires registration and accepting a licence agreement,
you may consider other ways of getting it.
// don't forget to get the right version:
// Mac OS X Lion and Mountain Lion = Xcode 4
// Mac OS X Snow Leopard = Xcode 3
7] macports
========
Now you can install MacPorts from www.macports.org. MacPorts is a ports
collection for Mac OS X which lets you install all your favourite CLI
software. The key command is "port", which has to be executed as admin (via
sudo) or root.
sudo port selfupdate
// synchronise the ports collection via rsync (and update MacPorts itself)
port search packagenamewhatever
// search for a port in the local ports database (no sudo needed)
sudo port install packagenamewhatever
// install a port
All ports are installed under /opt/local.
You should add /opt/local/bin and /opt/local/sbin to PATH, and
/opt/local/share/man to MANPATH, in your shell configuration; then the
installed commands and their man pages are found.
To keep the installed ports up to date, run this sequence from time to time:
sudo port selfupdate
sudo port upgrade outdated
It downloads the updated sources (or binary archives) for all installed ports
and rebuilds them.
It sometimes gets stuck on some port; then use the -d (debug) option to see
the problem, or try to uninstall or upgrade the problematic port individually.
To clean up source code and build directories and free disk space, use:
sudo port clean all
and
sudo port uninstall inactive
7a] hints for advanced:
===================
* if you wish all ports to be built from source (and avoid downloading
pre-compiled binary archives), set:
buildfromsource always
in:
/opt/local/etc/macports/macports.conf
* to speed up building, you can exclude the source files (in most cases
unnecessary to index) and portfiles from Spotlight indexing in:
System Preferences > Spotlight > Privacy
add /opt/local/
* since Apple provides few security updates for the basic tools, you can
choose to prefer the port versions by putting /opt/local/bin and
/opt/local/sbin in your PATH *before* /bin, /sbin, /usr/bin and /usr/sbin.
// Caveat: whatever sits in front of the system paths is trusted by every
// shell script you run, so keep /opt/local writable only by root (the
// MacPorts default) and never add a user-writable directory there.
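Tying sections 7 and 7a together, an added example (not part of this how-to) that puts /opt/local in front of the system paths without duplicating entries, prints the matching lines for bash or tcsh, and runs the maintenance sequence above, stopping with a hint when an upgrade fails. The prefix /opt/local and the port subcommands are MacPorts defaults; the script name and the "maintain"/"profile" arguments are assumptions.

```shell
#!/bin/sh
# Added example: MacPorts path setup and routine maintenance.
# Usage on the Mac:  sh ports.sh profile bash   (or tcsh)
#                    sh ports.sh maintain
set -eu

# Prepend $1 to the colon-separated list $2, dropping any existing copy of
# $1 and any empty element (an empty element in PATH means "current
# directory", which you do not want).
prepend_path() {
  new=$1
  out=$new
  set -f                       # no globbing while we split on ':'
  oldifs=$IFS
  IFS=:
  for elem in $2; do
    if [ -n "$elem" ] && [ "$elem" != "$new" ]; then
      out="$out:$elem"
    fi
  done
  IFS=$oldifs
  set +f
  printf '%s\n' "$out"
}

# Lines to append to ~/.bash_profile (bash) or ~/.tcshrc (tcsh) so that
# /opt/local wins over the Apple-supplied tools.
profile_lines() {
  case $1 in
    sh|bash)
      printf 'export PATH=/opt/local/bin:/opt/local/sbin:$PATH\n'
      printf 'export MANPATH=/opt/local/share/man:$MANPATH\n' ;;
    tcsh|csh)
      printf 'setenv PATH /opt/local/bin:/opt/local/sbin:$PATH\n'
      printf 'setenv MANPATH /opt/local/share/man:$MANPATH\n' ;;
    *) echo "unknown shell: $1" >&2; return 1 ;;
  esac
}

# Sync the tree, upgrade everything, then free disk space. A failing upgrade
# aborts before the cleanup so the half-built port can still be inspected.
macports_maintain() {
  PATH=$(prepend_path /opt/local/sbin "$PATH")
  PATH=$(prepend_path /opt/local/bin "$PATH")
  export PATH
  sudo port selfupdate
  if ! sudo port upgrade outdated; then
    echo "upgrade failed; retry the port alone with: sudo port -d upgrade <portname>" >&2
    echo "still outdated:" >&2
    port outdated >&2
    return 1
  fi
  sudo port clean --all installed
  sudo port uninstall inactive
}

case ${1:-} in
  maintain) macports_maintain ;;
  profile)  profile_lines "${2:-bash}" ;;
esac
```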
8] get the root
============
Boot into single-user mode (hold Cmd-S at startup), run fsck and remount the
root filesystem read-write, as suggested on the screen. Then:
passwd
// set the root password
reboot
// You can do this with any Mac you meet -- and that is the point: without a
// firmware password (set with the Firmware Password Utility from Recovery HD
// or the install media) and without disk encryption, physical access to a
// Mac means root. Both stop single-user mode from handing out a root shell.
9] recovery partition
===================
From the factory, Macs come with a hidden 'Recovery HD' partition which can
be booted by holding Cmd-R during the startup sound (or by holding ALT and
choosing 'Recovery HD').
On a brand new disk the installer (10.7.x) won't create the Recovery
partition itself, but it can be created manually. Useful if problems occur:
you still have an emergency system with Terminal, Disk Utility, Firmware
Password Utility etc.
// Recipe in the CLI:
// http://apple.stackexchange.com/a/52916
10] full disk encryption
====================
If you wish, you can experiment with FileVault 2, Apple's full disk
encryption system (built on CoreStorage). Keep in mind that it's proprietary
software whose implementation can't be audited, so an unknown master key or
other backdoor can't be ruled out, and it shouldn't be considered secure
beyond that. Its strength also depends on the strength of the passphrase
(use a long one).
commands to explore:
# list the CoreStorage verbs
diskutil corestorage
or
diskutil cs
# list the volume groups, families and volumes, with their encryption status
diskutil corestorage list
# encrypt a volume (converts it into a CoreStorage logical volume)
diskutil corestorage convert /dev/diskXsX -passphrase
# where /dev/diskXsX is the volume to encrypt; the passphrase is asked for
# take it back if confused (decrypts and removes the CoreStorage layer)
diskutil corestorage revert XXX-XXXX-XXXXX-XXXXXX -passphrase
# where XXX... is the Logical Volume UUID from diskutil corestorage list
You can encrypt even the boot disk; you need a Recovery HD partition on the
drive to do so, and you'll be asked the disk password during boot.
// Conversion runs in the background while the system is in use; until
// "Conversion Status: Complete" the disk still holds plaintext.
details:
// http://blog.fosketts.net/2011/08/05/undocumented-corestorage-commands/
and
man diskutil
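As an added example (not part of this how-to), a check that reads the boot volume's state out of `diskutil corestorage list` and only reports the disk as encrypted once conversion has finished and the family is marked fully secure. The listing embedded below is constructed to match the shape of Lion's output so the parser can be exercised offline; the UUIDs in it are placeholders. Run the script with `check` on the Mac for the live state.

```shell
#!/bin/sh
# Added example: is the CoreStorage boot volume really encrypted yet?
# Usage on the Mac:  sh fde-check.sh check     (exit 0 = fully encrypted,
#                    1 = converting/reverting, plaintext still on disk,
#                    2 = not encrypted at all)
set -eu

# Extract the value of "Field:   value" from diskutil's indented, box-drawn
# listing. Only the first match is used (one Logical Volume Family).
cs_field() {
  field=$1
  text=$2
  printf '%s\n' "$text" | sed -n "s/^[| +>-]*$field:[[:space:]]*//p" | head -n 1
}

# Verdict on a listing passed as text; see the usage line for exit codes.
fde_verdict() {
  text=$1
  enc_type=$(cs_field 'Encryption Type' "$text")
  conv=$(cs_field 'Conversion Status' "$text")
  secure=$(cs_field 'Fully Secure' "$text")
  case "$enc_type" in
    ''|None) return 2 ;;
  esac
  if [ "$conv" = Complete ] && [ "$secure" = Yes ]; then
    return 0
  fi
  return 1
}

# Live check on the Mac.
fde_check() {
  fde_verdict "$(diskutil corestorage list)"
}

# Constructed sample in the shape of "diskutil corestorage list" output for a
# fully encrypted boot volume (not a real listing; UUIDs are placeholders).
SAMPLE_ENCRYPTED='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 3F8C1E4A-0000-0000-0000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 3F8C1E4A-0000-0000-0000-000000000002
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 3F8C1E4A-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 3F8C1E4A-0000-0000-0000-000000000004
            ---------------------------------------------------
            Disk:               disk1
            Status:             Online
            Volume Name:        Macintosh HD
            Content Hint:       Apple_HFS'

# Same machine a few minutes into "diskutil corestorage convert":
SAMPLE_CONVERTING=$(printf '%s\n' "$SAMPLE_ENCRYPTED" |
  sed 's/Conversion Status:       Complete/Conversion Status:       Converting/;
       s/Fully Secure:            Yes/Fully Secure:            No/')

if [ "${1:-}" = check ]; then
  fde_check
fi
```

The exit code is the point: a script that backs up or ships the machine can refuse to proceed while `fde_verdict` returns 1, which is exactly the window in which a stolen disk still gives up data.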
11] goodies
========
a] verbose boot
sudo nvram boot-args="-v"
// set "verbose" mode at boot -- this shows the kernel's and launchd's text
// output during boot instead of only the grey screen with the Apple logo
b] locale
If you want your terminal to work properly with UTF-8 encoded characters,
set your locale to some UTF-8 locale.
Otherwise you may also get strange tar error messages during some software
installations:
tar: Failed to set default locale
That's the locale problem.
// if you are using tcsh, set the following in ~/.tcshrc:
setenv LC_ALL en_US.UTF-8
setenv LANG en_US.UTF-8
// (bash users put the equivalent export lines in ~/.bash_profile; Terminal
// also has "Set locale environment variables on startup" in its settings)
// Note: "en_EN" is not a valid locale name -- there is no country EN; use
// en_US or en_GB. LC_ALL overrides LANG and every LC_* variable, so a wrong
// LANG goes unnoticed as long as LC_ALL is valid.
// and check with the command:
locale
The output should look like this:
LANG="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
/////// REMARK
The overall impression of Lion is a growing dependency on Apple's services.
The App Store, iTunes, iCloud and others are built into your computer.
You are offered to store ('back up') data on Apple's servers and, in the near
future, to disclose your contacts, personal information, telephone and card
numbers to the OS manufacturer.
EOF
Comments requested
~~~~~~~~~
Binary Sxizophreny - index of computer related stuff | Kangaroo's Homepage (Czech)